My answer is that the use of public key pairs is a lot wiser thing to do than using passwords or lists of passwords. I will focus on the things that are not very well-known on different forms of SSH authentication, and I see no other answer to mention them.
First of all, you need to understand that user authentication is a different and distinct process from the establishment of the secure channel. In simple terms, this means that first of all, the public key of the server is used (if it is accepted!) To build the SSH secure channel, allowing negotiation of a symmetric key that will be used to protect the remaining session, enable privacy channel, integrity protection, and server authentication.
After the channel is functional and secure, the authentication of the user takes place.
The two usual ways to do this are to use a password or a pair of public keys.
The password authentication works as you can imagine: the client sends his password on the secure channel, the server verifies that it is ok the password of the specific user and allows access.
In the case of the public key, the situation is very different. In this case, the public key of the user is stored on the server. What happens next, is that the server creates a random value (nonce), the number with the public key and sends it to the user. If the user is supposed to be, he can decipher the challenge and send it back to the server, which then confirms the identity of the user. This is the classic challenge-response model. (In SSHv2, something a little different but conceptually close is actually used)
As you can imagine, in the first case, the password is actually sent to the server (unless SSH uses the password response), in the second case, your private key never leaves the client . In the imaginary scenario, a person intercepts the SSL traffic and can decrypt it (with the help of a compromised server private key, or if you accept an incorrect public key when connecting to the server) or access to the server or client, your password will be known – with public-private key authentication and query response pattern, your private information will never fall into the hands of the attacker.
Thus, even if a server you are connecting to is compromised, other servers for which you are using the same key will not be compromised!
There are other benefits to using a public key pair: The private key should not be stored in plain text on your client computer, as you suggest. Of course, this leaves the private key file open for compromise, as would an unencrypted password file, but it is easier to decrypt (when connecting) and use the private key. It should be stored crypt, and you must provide a generally long password to decrypt it with each use.
Of course, this means that you will have to provide the long passphrase each time you connect to a server to unlock your private key. There are ways around this problem. You can increase system usage by using an authentication agent: it is software that unlocks your keys for the current session, when you log in to gnome, for example, or when you log in for the first time to your customer. type ssh remote-system-ip & # 39; ssh and log in, without providing a passphrase, and do it multiple times until you log out of your session.
To summarize, the use of public key pairs offers a lot more protection to use passwords or lists of passwords that can be captured if the customer, the server or the the secure session is compromised. In case you do not use a passphrase (which should not happen), public key pairs always offer protection against compromised sessions and servers.